Targeted Attack Protection: A Review of Endgame’s Endgame...Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform. Testing Overview (CONTINUED) SANS ANALYST PROGRAM 3 Targeted Attack

  • Published on
    15-Apr-2018

  • View
    213

  • Download
    1

Embed Size (px)

Transcript

<ul><li><p>2017 SANS Institute</p><p>A SANS Product ReviewWritten by Dave Shackleford</p><p>October 2017</p><p>Sponsored by Endgame</p><p>Targeted Attack Protection: A Review of Endgames Endpoint Security Platform</p></li><li><p>The threat landscape continues to get progressively worse. More sophisticated attacks are being spotted in the wild, and security teams are scrambling to keep up. We face many new types of issuesadvanced phishing attacks are proving all too successful, and ransomware has become a common form of malware that many seem helpless to prevent. In addition, we have many endpoints to protect, and attackers are savvy about targeting end users. Even worse, many advanced attacks dont involve malware; instead they use legitimate operating system tools, operate in memory and move laterally to accomplish their objectives and defeat traditional security programs.</p><p>In the SANS Next-gen Endpoint Risks and Protections survey1 from 2017, 53 percent of respondents indicated that at least one of their endpoints had been compromised in the previous 24 months, primarily through browser exploits and social engineering. More than one-quarter (27 percent) of those who experienced a compromise noted that they discovered it via third-party notification, which suggests that many endpoint security tools and tactics in use today are inadequate. We really need better prevention and detection tools right now. </p><p>Yesterdays signature-based detection tools are failing us more frequently because they are built upon reactive intelligence. Traditional antivirus signatures are proving less effective than they once were, as more advanced attackers are capable of morphing their code and indicators of compromise to evade signature-based methods. Additionally, many security teams have focused too narrowly on malware without looking enough at the vast variety of newer, more advanced methods attackers are using. </p><p>Many attacks dont leverage any malware to compromise the enterprise network and move laterally from host to host. Some attacks use legitimate tools such as PowerShell to avoid detection by endpoint security platforms. Another problem is that many endpoint tools are fairly heavy-handed on system resources. </p><p>SANS reviewed Endgames endpoint protection product, a lightweight agent that offers prevention, detection and response, and threat hunting capabilities to rapidly stop targeted attacks before damage and loss occur. One of the primary goals of the platform is to help overcome todays security skills gap, which many SANS surveys show is the top inhibitor to achieving respondents security and risk management goals. </p><p>With its emphasis on ease of use, coverage of attacker tactics and techniques, rapid event triage and highly capable hunting methods, Endgame is a product with which SOC teams can hit the ground running.</p><p>SANS ANALYST PROGRAMTargeted Attack Protection: A Review of Endgames Endpoint Security Platform1</p><p>Introduction</p><p>1 Next-Gen Endpoint Risks and Protections: A SANS Survey, March 2017, www.sans.org/reading-room/whitepapers/analyst/next-gen-endpoint-risks-protections-survey-37652</p><p>Endgame Differentiators</p><p> Pre-execution prevention, accelerated detection and automated hunting across the breadth and depth of the MITRE ATT&amp;CK Matrix</p><p> Single, lightweight, autonomous agent providing 24/7 protection to online and offline systems </p><p> Artemis, an AI-powered security mentor that elevates Tier 1 analysts and accelerates Tier 3 analysts by leveraging natural-language understanding to automate data analysis, investigation, triage and response at enterprise scale</p><p> Automated threat hunting that leverages tradecraft analytics and outlier analytics to streamline workflows and surface suspicious artifacts across millions of records in minutes</p><p> Automated memory forensics that detects post-injected code anywhere in memory at enterprise scale in minutes</p><p>Signature-based </p><p>detection is always a </p><p>race against the clock, </p><p>where vendor analysts </p><p>need to develop </p><p>signatures fast and </p><p>push them out to </p><p>customers before they </p><p>fall victim. </p></li><li><p>Testing Overview </p><p>SANS ANALYST PROGRAM2</p><p>For this review, Endgame hosted a platform-in-the-cloud infrastructure. We used the Version 2.4.1 environment, which includes the autonomous agents and the software management platform. Because we chose the Endgame hosted delivery model, we did not need to install the main Endgame platform. Endgame offers the platform in an on-premises model or in a cloud-hosted environment. Installation seems relatively painless, and the documentation provided by Endgame for installation and Quick Start is thorough and detailed. </p><p>The review environment included a primary connection to the Endgame platform, as well as Remote Desk Protocol (RDP) connections available via jump hosts to the Windows sensors. A plethora of malware and other malicious code was available in the environment for testing, which SANS made liberal use of during the course of the review. </p><p>Dashboards</p><p>We first logged into the Endgame console and explored the main dashboard. It showed us a breakdown of current alerts in the environment, endpoint agent status, and endpoint OS types. In addition, other panes in the dashboard showed the breakdown of the top priority alerts, which could help analysts in prioritizing their day. The console dashboard is shown in Figure 1.</p><p>Figure 1. Enterprise Console Dashboard</p><p>Targeted Attack Protection: A Review of Endgames Endpoint Security Platform</p><p>Figure 1. Enterprise Console Dashboard</p></li><li><p>Testing Overview (CONTINUED)</p><p>SANS ANALYST PROGRAM3 Targeted Attack Protection: A Review of Endgames Endpoint Security Platform</p><p>We explored the Endpoints dashboard next. Within this view, all deployed endpoint agents can be viewed, configured and assessed. The Endpoints dashboard is shown in Figure 2.</p><p>Figure 2. Endpoints Dashboard</p><p>The Endpoints dashboard was simple to use. Endpoints can be discovered with Endgames built-in network scanner, looking for systems within the environment. Endpoints that do not have Endgame agents are flagged as Unmanaged and can then have sensors deployed to them directly through the console, per policy. </p><p>Configure Endpoints</p><p>Analysts can configure the endpoints with a protection policy by selecting those they want to configure or modify, then choosing Misc Actions and finally Configure. The configuration window then opens, and various protection, detection, alerting and response configurations for the chosen agent(s) can be implemented in real time. These will each be covered in the respective sections discussing the capabilities of the product. </p><p>Figure 2. Endpoints Dashboard</p></li><li><p>Testing Overview (CONTINUED)</p><p>SANS ANALYST PROGRAM4 Targeted Attack Protection: A Review of Endgames Endpoint Security Platform</p><p>Investigate and Hunt</p><p>This dashboard also allows analysts to initiate investigations by choosing assets and then clicking Create Investigation. In the pane that appears, they can name the investigation, assign a profile or create a new one, assign analysts to the investigation and add hunts to the investigation to gather and include evidence (covered later). The Investigation pane is shown in Figure 3.</p><p>Figure 3. Initiating an Investigation</p><p>The Alerts dashboard presents a list of the current and most recent alerts noted by the system. These can be selected to drill into and triage each alert, and alerts can also be selected to assign to particular users, facilitating team-based analysis, triage and incident response. The Alerts dashboard is shown in Figure 4 on the next page.</p></li><li><p>Testing Overview (CONTINUED)</p><p>SANS ANALYST PROGRAM5 Targeted Attack Protection: A Review of Endgames Endpoint Security Platform</p><p>Figure 4. Alerts Dashboard</p><p>The Investigations dashboard is the central location that aggregates investigations in progress (once initiated). Analysts can update and finalize (archive) their investigations from this pane. </p><p>Administration </p><p>The final area of the console that we explored was the Administration pane. The Administration console provides the following capabilities:</p><p> User managementCreate, delete and manage users and their assigned roles (levels 1-3, as well as admin)</p><p> Sensor managementCreate and manage sensor profiles (version, protections in place and specific configuration of deployment attributes)</p><p> Alert managementTransfer alerts to central event aggregation tools if needed</p><p> Whitelist managementWhitelist alerts to prevent event overload when false positives or low-severity issues are detected</p><p> Platform managementEnable multi-client activation, which provides customers a single dashboard to view the health and status of the endpoints; this is beneficial to customers who have more than 50,000 endpoints or have endpoints in various geographies</p><p>Creating a new sensor profile was simple. In the Sensor Management pane of the Administration console, an admin can click Create New Sensor Profile, name the profile and point to a transceiver (the platform it will connect back to). Then the admin selects the binary for the preferred Endgame sensor version, and thats it. Once the new sensor profile is created, the admin can configure the default protection controls in place for the sensors. These are covered in more detail in the upcoming sections. </p><p>Figure 4. Alerts Dashboard</p></li><li><p>Endgame Prevention, Detection and Response, and Threat Hunting</p><p>SANS ANALYST PROGRAM6 Targeted Attack Protection: A Review of Endgames Endpoint Security Platform</p><p>Today, an attackers goals are data access and exfiltration. Sophisticated attackers often use advanced nation-state techniques, which sometimes do not involve any malware, to aggressively pursue and compromise specific targets. These attacks often include fileless tactics, living-off-the-land techniques and malicious macros with delivery mechanisms via social engineering tactics such as spearphishing. After a compromise has occurred, attackers attempt to maintain a persistent presence within the enterprise network, escalate privileges and move laterally within to extract sensitive information to locations under the attackers control. </p><p>Advanced Attacks</p><p>The Lockheed Martin Kill Chain is an industry model for an attack lifecycle that includes the stages shown in Figure 5:2 </p><p>Figure 5. Lockheed Martin Kill Chain Attack Lifecycle</p><p>2 Deconstructing the Cyber Kill Chain, Nov. 18, 2014, www.darkreading.com/attacks-breaches/deconstructing-the-cyber-kill-chain/a/d-id/1317542</p></li><li><p>Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)</p><p>SANS ANALYST PROGRAM7 Targeted Attack Protection: A Review of Endgames Endpoint Security Platform</p><p>While the widely referenced Lockheed Cyber Kill Chain created a common language to discuss sophisticated attacks, it lacks the granularity essential to make comprehensive programmatic improvement against todays targeted attacks. MITRE, a not-for-profit organization, has created that needed granularity, collecting details on the vast array of methods to build a threat model and framework called Adversarial Tactics, Techniques, and Common Knowledge (ATT&amp;CK).3</p><p>Why are we not catching these movements today when we know so much about these patterns? In short, attacks and methods are constantly changing, but our tools and approaches arent. To understand why, its helpful to break down indicators of compromise. For organizations trying to leverage signatures and typical indicators of compromise (IOCs), security detection and prevention are a constant game of whack-a-mole if the usual simple indicators are used alone. An attacker can very easily modify code to communicate with a different IP address or domain, leverage a different local port or present a different cryptographic hash value. </p><p>In contrast, behavioral aspects of attacks are by far the most valuable knowledge to have in preventing and detecting compromise scenarios, but they are much more difficult to create and describe. In turn, this makes it more difficult to automate and unify the systems, each of which holds a little information about these attacks but doesnt show the whole picture. Behavioral indicators will often include multiple indicators; for example, a certain IP address is accessed, retrieves a known ZIP file, unpacks and drops certain files, and installs software that opens a port or creates a new registry key.</p><p>Full Stack Protection</p><p>Endgame offers a number of advanced features for the prevention of targeted attacks against enterprises, and these align with the various stages of the ATT&amp;CK model. During our review, we tested several of the zero-day-prevention capabilities offered in the product, and it successfully caught each attempt, provided us advanced intelligence that included detailed indicators of compromise and system-level aspects of the attempt, and automated remediation workflow. Endgame has advanced protections that include exploit prevention, malware prevention, fileless attack prevention, malicious macro prevention and ransomware prevention. </p><p>3 Adversarial Tactics, Techniques and Common Knowledge, https://attack.mitre.org/wiki/Main_Page </p><p>By changing the name </p><p>and/or value of a </p><p>specific registry key on </p><p>a Windows platform, </p><p>attackers can easily </p><p>bypass some of the </p><p>endpoint detection </p><p>technologies in </p><p>use today.</p></li><li><p>Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)</p><p>SANS ANALYST PROGRAM8 Targeted Attack Protection: A Review of Endgames Endpoint Security Platform</p><p>Endgame has developed a unique technique it calls Hardware Assisted Control Flow Integrity (HA-CFI). This technology uses hardware features available in processors to monitor and prevent exploitation before code execution. By leveraging hardware features, Endgame prevents exploits before an attacker reaches the Post-Exploitation stage of the Kill Chain (and the beginning of the ATT&amp;CK cycle). </p><p>Another feature Endgame touts is enhanced Dynamic Binary Instrumentation (DBI), which allows for very early-stage detection of exploits. This feature allows the product to detect malicious macros through heuristics-based prevention, closely monitor fileless attacks for process injection and look at behaviors for file activity that may indicate ransomware and similar attacks. </p><p>Figure 6 shows the configuration of exploit protections within the Endgame sensor configuration screen.</p><p>Figure 6. Endpoint Exploit Protection and Prevention </p></li><li><p>Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)</p><p>SANS ANALYST PROGRAM9 Targeted Attack Protection: A Review of Endgames Endpoint Security Platform</p><p>These protections are enabled by editing the Sensor configuration policy mentioned earlier. In the Exploit Protection category, analysts can enable HA-CFI and/or DBI to detect and prevent exploits and malware on each endpoint. A range of protections is available, including API filtering, monitoring for macros with heuristics, monitoring stack memory and many more.</p><p>Figure 7 shows a prevention alert with a process injection and also highlights the source process and the target process infected.</p><p>Figure 7. Endpoint...</p></li></ul>

Recommended

View more >